Access point with multiple SSIDs mapped to multiple VLANs

Rama

Hi, networking newbie here. I have OPNsense set up on a mini PC and have just bought a TP-Link EAP670 to use as a WiFi AP. I have both IoT devices and trusted devices (laptop, phone, etc.) that are connected to my WiFi, so I wish to have multiple SSIDs on my AP mapped to multiple VLANs (i.e. one SSID and VLAN for trusted devices and another for untrusted). Is this possible?

What I've read so far seems to indicate that each ethernet port can be tagged with one VLAN, so how would I have the single ethernet port to the AP mapping different VLANs? I'm sure this is a very stupid question but I'm also only just getting started out with networking, so any help would be greatly appreciated.

TIA
 
A port can be tagged in one or more VLANs, untagged in one VLAN or untagged in one and tagged in one or more VLANs.
 
Yeah, the one port can definitely carry all your VLANs ... the concept wouldn't be much use otherwise. I don't know too much about these TP-Link units, but I do know that TP-Link mainly expects them to be managed through their "Omada Controller" software. It could be that managing VLAN associations is something that can only be done through that and not from the unit's standalone management GUI.
 
Note if Multi-SSID works the same as on my TP-Link WA-801 then each VLAN you use for a SSID will show up as tagged on the Ethernet port.
For example
SSID1 VLAN 7
SSID2 VLAN 20
SSID3 VLAN 300
VLAN 7, 20 and 300 will be tagged on the Ethernet port.
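
As an added illustration (not written by anyone in this thread) of how one Ethernet port carries several VLANs: each frame on the AP uplink carries a 4-byte 802.1Q tag holding its VLAN ID, and the port at the other end accepts only the IDs it is tagged for. The VLAN IDs 7, 20 and 300 come from the post above; the untagged VLAN 1, the MAC addresses and the `Port` class are assumptions made for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan is given."""
    header = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        header += struct.pack("!HH", TPID_8021Q, vlan)  # PCP/DEI bits left at 0
    return header + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return the VLAN ID carried in the frame's tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag are the VLAN ID

class Port:
    """Ingress side of a switch or router port (hypothetical model)."""
    def __init__(self, tagged=(), untagged=None):
        self.tagged = frozenset(tagged)
        self.untagged = untagged

    def classify(self, frame):
        """Return the VLAN the frame lands in, or None if it is dropped."""
        vid = parse_vlan(frame)
        if not vid:  # untagged, or priority-tagged with VID 0
            return self.untagged
        return vid if vid in self.tagged else None

# Constructed sample data: uplink tagged for the thread's VLANs 7, 20 and 300,
# with an assumed untagged management VLAN 1.
AP, GW = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ap_uplink = Port(tagged={7, 20, 300}, untagged=1)

def demo():
    """Classify one frame per VLAN, one unknown VLAN (99) and one untagged."""
    frames = {v: build_frame(GW, AP, 0x0800, b"x" * 46, vlan=v) for v in (7, 20, 300, 99)}
    result = {v: ap_uplink.classify(f) for v, f in frames.items()}
    result["untagged"] = ap_uplink.classify(build_frame(GW, AP, 0x0800, b"x" * 46))
    return result
```

Calling `demo()` shows the three SSID VLANs passing through the same port, VLAN 99 being dropped because the port is not tagged for it, and the untagged frame landing in VLAN 1.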
 
Okay, thanks for the help. I run Home Assistant on a Raspberry Pi, mostly to automate some Yeelight smart bulbs and a ZigBee gateway with child devices. I plan to move Home Assistant and all IoT devices to a separate VLAN from my laptop and phone for security purposes.

Will this break any of my automations or functionality? I assumed it wouldn’t matter as long as home assistant and the IoT devices are on the same VLAN. I also assume I’ll have to put in a rule to allow me to access the web GUI for home assistant as well. Any other rules I might need to setup? Thanks in advance
 
I have recently set up a guest network using VLAN on my pfSense, switch and three WAP571 APs. In the end, it was much easier than I thought. I configured the port from the router and the 3 ports that are connected to the APs as trunk ports in the switch, configured the VLAN in the APs with a separate SSID and created a VLAN in pfSense, assigning the VLAN interface to the LAN port of the router. After that, set up a separate DHCP server in pfSense for the VLAN interface. Last but not least, add a couple of rules on the VLAN interface firewall to allow internet access (if needed) and block access to other LAN interfaces.

That did it for me.
 
@ddaenen1 - when you set this up, did you need to assign static IPs to the WAP571s? And if so, is that set within pfSense somewhere?
 
All my wired devices have static IPs. I do however set them in pfSense and leave the device configuration on DHCP. It is important that you allocate the static IPs in pfSense outside of the DHCP range. So my DHCP server is configured from 192.168.1.10 to 192.168.1.199 and above is allocated for static IPs. The easiest way is to allow the device to connect via DHCP and once you see it in the list of DHCP leases, you can click the white box with the '+' on the right side of the listed lease as below.
Screen Shot 2023-02-22 at 19.52.31.png

Then you define the IP you want it to have in the IP address field, define a host name, and when the lease expires it will move to the defined static IP address. It is really that simple. Hope this helps.



Screen Shot 2023-02-22 at 19.54.20.png
 